VYPR
Medium severity (6.4) · NVD Advisory · Published Jan 16, 2026 · Updated Apr 15, 2026

CVE-2021-47834

Description

Schlix CMS 2.2.6-6 contains a persistent cross-site scripting vulnerability that allows authenticated users to inject malicious scripts into category titles. Attackers can create a new contact category with a script payload that will execute when the page is viewed by other users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Schlix CMS 2.2.6-6 contains a persistent XSS vulnerability in category titles, allowing authenticated users to inject scripts that execute on other users' pages.

Vulnerability

Description

Schlix CMS 2.2.6-6 is susceptible to a persistent cross-site scripting (XSS) vulnerability in the contact category title field. The application fails to properly sanitize user-supplied input, allowing an authenticated attacker to inject arbitrary JavaScript code. This stored script is then executed when any user views the page containing the crafted category, as demonstrated in the exploit proof-of-concept [1].

Exploitation

Details

An attacker with valid credentials can navigate to the /admin/app/contact section, create a new contact category, and insert a malicious script into the title field. The payload is embedded directly into the HTML output without encoding, leading to execution in the browser of any visitor accessing the contacts page [1][3]. No additional privileges beyond standard user authentication are required.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive information, as the script runs within the application's security context [3].

Mitigation

The vendor, Schlix, has not released a specific security advisory, but users are advised to update to the latest version of the CMS or apply input validation and output encoding to prevent such injections. The vulnerability is listed in public exploit databases, indicating active risk [1][2].
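The output-encoding mitigation described above, as an added Python example that is not Schlix code: a contact-category listing rendered with the stored title interpolated unencoded (the defect the advisory describes) beside a version that encodes the title for both the element-text and attribute contexts, plus a small HTMLParser-based check that confirms no script elements or event-handler attributes survive in the encoded output. The category rows, ids and payload strings are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample rows standing in for stored contact-category titles; the
# second and third carry the kind of markup an authenticated user could save.
CATEGORIES = [
    {"id": 1, "title": "Sales"},
    {"id": 2, "title": "Support <script>alert('stored-xss')</script>"},
    {"id": 3, "title": 'Press" onmouseover="alert(1)'},
]

def render_vulnerable(categories):
    """Interpolates the stored title into HTML unencoded, the pattern the advisory describes."""
    items = "".join(
        f'<li data-title="{c["title"]}"><a href="/contacts/{c["id"]}">{c["title"]}</a></li>'
        for c in categories
    )
    return f"<ul>{items}</ul>"

def render_hardened(categories):
    """Encodes the title for each context it lands in: quoted attribute and element text."""
    items = "".join(
        f'<li data-title="{html.escape(c["title"], quote=True)}">'
        f'<a href="/contacts/{int(c["id"])}">{html.escape(c["title"])}</a></li>'
        for c in categories
    )
    return f"<ul>{items}</ul>"

class ActiveContentAuditor(HTMLParser):
    """Counts <script> elements and on* event-handler attributes in rendered HTML,
    a cheap regression check for templates that render user-controlled data."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))

def audit(rendered):
    """Return (script_tags, event_handlers) found in the rendered fragment."""
    parser = ActiveContentAuditor()
    parser.feed(rendered)
    return parser.script_tags, parser.event_handlers

if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, audit(fn(CATEGORIES)))
```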

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0. No linked articles in our index yet.